Description of problem:
 -E, --extract  Extract customizable commands, for use within a transaction

If the extract option is used in a transaction then the security range is lost.

Version-Release number of selected component (if applicable):
policycoreutils-2.5-8.el7.x86_64
policycoreutils-python-2.5-8.el7.x86_64

How reproducible:
* always

Steps to Reproduce:
# seinfo --nodecon
Nodecon: 0
# semanage node -l
# semanage node -E
# semanage node -a -M 255.255.255.0 -p ipv4 -t node_t -r s0-s0:c0.c1 192.168.0.123
# seinfo --nodecon
Nodecon: 1
   nodecon 192.168.0.123 255.255.255.0 system_u:object_r:node_t:s0 - s0:c0.c1
# semanage node -l
IP Address Netmask Protocol Context
192.168.0.123 255.255.255.0 ipv4 system_u:object_r:node_t:s0-s0:c0,c1
# semanage node -E
node -a -M 255.255.255.0 -p ipv4 -t node_t 192.168.0.123
#

Expected results:
* the security range is also printed
The same issue is reproducible with semanage interface:

# seinfo --netifcon
Netifcon: 1
   netifcon xyz system_u:object_r:netif_t:s0 - s0:c0.c1 system_u:object_r:netif_t:s0 - s0:c0.c1
# semanage interface -l
SELinux Interface Context
xyz system_u:object_r:netif_t:s0-s0:c0,c1
# semanage interface -E
interface -a -t netif_t xyz
#
My guess is that all semanage sub-commands which support -E, --extract options suffer from this issue:

# semanage fcontext -l -C
# semanage fcontext -a -t tmp_t -r s0:c0.c1 /pokus
# semanage fcontext -l -C
SELinux fcontext type Context
/pokus all files system_u:object_r:tmp_t:s0:c0.c1
# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
fcontext -a -f a -t tmp_t '/pokus'
# semanage fcontext -E
fcontext -a -f a -t tmp_t '/pokus'
#

The export sub-command of semanage does not print the MLS/MCS security range either.
Because the export option for user and login sub-command prints MLS/MCS security range:

# semanage user -E
user -a -L s0 -r s0 -R 'user_r' user_u
user -a -L s0 -r s0 -R 'xguest_r' xguest_u
# semanage login -E
login -a -s unconfined_u -r 's0-s0:c0.c1023' __default__
login -a -s guest_u -r 's0' guest-user
login -a -s staff_u -r 's0-s0:c0.c1023' staff-user
login -a -s user_u -r 's0' user-user
login -a -s xguest_u -r 's0' xguest
login -a -s xguest_u -r 's0' xguest-user
#

it would be great if the export option also printed MLS/MCS range in case of other sub-commands. Otherwise the export/import mechanism loses information.

# grep semanage /usr/libexec/selinux/selinux-policy-migrate-local-changes.sh
if [ -x /usr/sbin/semanage ]; then
/usr/sbin/semanage export | /usr/sbin/semanage import
#
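A check that could be run before trusting an export/import round trip like the one in the migration script, as an added example that is not part of the original report or of policycoreutils: it compares `semanage node -l` with `semanage node -E` and reports entries whose MLS/MCS range is missing from the extract output. The sample input is constructed from the session in the report; the function names and the assumption that `s0` is the range of an entry added without `-r` are this example's own.

```python
import shlex

# Constructed sample input, taken from the session in the report above.
LISTING = """\
IP Address Netmask Protocol Context
192.168.0.123 255.255.255.0 ipv4 system_u:object_r:node_t:s0-s0:c0,c1
"""
EXTRACT = "node -a -M 255.255.255.0 -p ipv4 -t node_t 192.168.0.123\n"
DEFAULT_RANGE = "s0"  # assumption: range an entry gets when -r is omitted


def parse_listing(text):
    """Map (address, netmask, protocol) -> range, from `semanage node -l`."""
    ranges = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows: four fields; the range may contain ':', so split 3 times.
        if len(fields) == 4 and fields[3].count(":") >= 3:
            ranges[tuple(fields[:3])] = fields[3].split(":", 3)[3]
    return ranges


def parse_extract(text):
    """Map (address, netmask, protocol) -> range passed with -r, or None."""
    ranges = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["node", "-a"]:
            continue
        # Assumes the layout shown in the report: every flag after -a takes
        # one value and the address is the final token.
        opts = dict(zip(tokens[2:-1:2], tokens[3:-1:2]))
        ranges[(tokens[-1], opts.get("-M"), opts.get("-p"))] = opts.get("-r")
    return ranges


def dropped_ranges(listing, extract):
    """Listed entries whose non-default range is absent from the extract."""
    exported = parse_extract(extract)
    return [(key, rng) for key, rng in sorted(parse_listing(listing).items())
            if rng != DEFAULT_RANGE and exported.get(key) is None]


if __name__ == "__main__":
    for (addr, mask, proto), rng in dropped_ranges(LISTING, EXTRACT):
        print(f"{addr}/{mask} ({proto}): range {rng} missing from extract")
```

On a live system the two strings would come from the output of `semanage node -l` and `semanage node -E`; an empty result means no listed node range is absent from the extract lines.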
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2160